77686f007bd28fb2acc4f037427934bb605bad7e2ad31e8b4f77980ebe99ad81

Analysis

max time kernel
151s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
Size

66KB
MD5

93997cdd709e87d47ba526d564d1b7b0
SHA1

e4be49330d9f8314475cd928e86d5b9b3f91fdb8
SHA256

77686f007bd28fb2acc4f037427934bb605bad7e2ad31e8b4f77980ebe99ad81
SHA512

8c5e6ab8b9c3575bb7d16d081fd87d79a84598d7659fe47c274b968de79439ac16c4f7223cc7d50aeb907928725fff3289a9e91ed55d2b29c9e25a2ac388af43
SSDEEP

1536:HLINO/hw9L08Ck0WSfd1/Vjci90BFQq3e60hI5BcgCFC1eX4W/G9ItTYr8G:rIqq/Ck0W09wi99q3ah+cgC81eX4WgI+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	urdvxc.exe

Executes dropped EXE 4 IoCs

pid	Process
4928	urdvxc.exe
1796	urdvxc.exe
4684	urdvxc.exe
3056	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\sekbhrbe.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\qrhljwvn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\jtlnctqk.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\njqrsbcq.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bklnbknw.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	urdvxc.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\ = "qhkxrvesnsrbjjzb"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\sekbhrbe.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\ = "vhqwtxnjrlncbvrx"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A41B5D8D-B388-24D8-1131-2E860EC37EC4}\ = "nchhxjtsxvbhnnrr"	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\bklnbknw.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32\ = "C:\\Program Files\\Java\\jre1.8.0_66\\jtlnctqk.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\\njqrsbcq.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A41B5D8D-B388-24D8-1131-2E860EC37EC4}	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "tnjxebjrjrsjvtwx"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "wjntzrlskbsrrjvs"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "sjncernbkrhjbchr"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\ = "bhcwltckkhnrekne"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "bcertnstkejletkt"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A41B5D8D-B388-24D8-1131-2E860EC37EC4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.93997cdd709e87d47ba526d564d1b7b0.exe"	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "leetztehblsbwthh"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\ = "evrhhtvnxnrrvkcc"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "xjzjrzbrntjkwqtk"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "jsbhqzzknwlshbkl"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "chtjwjxkerjexele"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "tkxbbenbthtlnest"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "vkrnblsbnllelvjr"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A41B5D8D-B388-24D8-1131-2E860EC37EC4}\LocalServer32	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\db\\qrhljwvn.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\\nsstljje.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 4928	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	82
PID 1160 wrote to memory of 4928	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	82
PID 1160 wrote to memory of 4928	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	82
PID 1160 wrote to memory of 1796	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	83
PID 1160 wrote to memory of 1796	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	83
PID 1160 wrote to memory of 1796	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	83
PID 1160 wrote to memory of 3056	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	85
PID 1160 wrote to memory of 3056	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	85
PID 1160 wrote to memory of 3056	1160	NEAS.93997cdd709e87d47ba526d564d1b7b0.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.93997cdd709e87d47ba526d564d1b7b0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1796
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\NEAS.93997cdd709e87d47ba526d564d1b7b0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  PID:3056

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:4684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
93997cdd709e87d47ba526d564d1b7b0

SHA1
e4be49330d9f8314475cd928e86d5b9b3f91fdb8

SHA256
77686f007bd28fb2acc4f037427934bb605bad7e2ad31e8b4f77980ebe99ad81

SHA512
8c5e6ab8b9c3575bb7d16d081fd87d79a84598d7659fe47c274b968de79439ac16c4f7223cc7d50aeb907928725fff3289a9e91ed55d2b29c9e25a2ac388af43

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
93997cdd709e87d47ba526d564d1b7b0

SHA1
e4be49330d9f8314475cd928e86d5b9b3f91fdb8

SHA256
77686f007bd28fb2acc4f037427934bb605bad7e2ad31e8b4f77980ebe99ad81

SHA512
8c5e6ab8b9c3575bb7d16d081fd87d79a84598d7659fe47c274b968de79439ac16c4f7223cc7d50aeb907928725fff3289a9e91ed55d2b29c9e25a2ac388af43

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
93997cdd709e87d47ba526d564d1b7b0

SHA1
e4be49330d9f8314475cd928e86d5b9b3f91fdb8

SHA256
77686f007bd28fb2acc4f037427934bb605bad7e2ad31e8b4f77980ebe99ad81

SHA512
8c5e6ab8b9c3575bb7d16d081fd87d79a84598d7659fe47c274b968de79439ac16c4f7223cc7d50aeb907928725fff3289a9e91ed55d2b29c9e25a2ac388af43

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
93997cdd709e87d47ba526d564d1b7b0

SHA1
e4be49330d9f8314475cd928e86d5b9b3f91fdb8

SHA256
77686f007bd28fb2acc4f037427934bb605bad7e2ad31e8b4f77980ebe99ad81

SHA512
8c5e6ab8b9c3575bb7d16d081fd87d79a84598d7659fe47c274b968de79439ac16c4f7223cc7d50aeb907928725fff3289a9e91ed55d2b29c9e25a2ac388af43

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
93997cdd709e87d47ba526d564d1b7b0

SHA1
e4be49330d9f8314475cd928e86d5b9b3f91fdb8

SHA256
77686f007bd28fb2acc4f037427934bb605bad7e2ad31e8b4f77980ebe99ad81

SHA512
8c5e6ab8b9c3575bb7d16d081fd87d79a84598d7659fe47c274b968de79439ac16c4f7223cc7d50aeb907928725fff3289a9e91ed55d2b29c9e25a2ac388af43

Download Submit
memory/1160-20-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1160-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1160-1-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1796-10-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/1796-13-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3056-21-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4684-46-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-52-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-14-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-22-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-23-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-24-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-25-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-26-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-27-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-28-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-29-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-30-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-31-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-32-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-33-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-34-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-35-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-36-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-37-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-38-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-39-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-40-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-41-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-42-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-43-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-44-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-45-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-12-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-47-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-48-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-49-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-50-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-51-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-15-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-53-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-54-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-55-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-56-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-57-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-58-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-59-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-60-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-61-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-62-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-63-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-64-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-65-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-66-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-67-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-68-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-69-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-70-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-71-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-72-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-73-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-74-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-75-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-76-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-77-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-78-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-79-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-80-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4684-186-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4928-6-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4928-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4928-8-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download